SharePoint Online Quick Start Guide


I’m working on an Office 365 adoption project, specifically, helping end users adopt SharePoint. One of the objectives is to provide the end users with a quick one-page guide to SharePoint library / list navigation. I searched and could not find what I was looking for. So, I decided to create one myself.

Here’s a screenshot of what I created.

[Image: SharePoint Online Quick Start]

You can download the SharePoint Online Quick Start Guide here.

Thanks for reading!


Create Office 365 Groups Naming Policy


As we see greater interest from our clients in Teams, I’ve turned my attention to Office 365 groups administration, specifically on groups naming policy.

To create a naming policy for groups in your Office 365 tenant, you’ll need to use PowerShell.

I followed these instructions to view the current naming policy settings in my tenant by typing the following command:

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id

I expected to get some values, but I got this wonderful error instead:

[Image: O365GroupNamingPolicySettingsError]

So, where did I go from here?

I started to break down the command above by running just Get-AzureADDirectorySetting.

It returned nothing. This tells me that there are no settings currently in place.

So, I had to configure the groups settings in my Office 365 tenant.

To do that, I could get the available template IDs by typing Get-AzureADDirectorySettingTemplate or use the DisplayName value for "Group.Unified".

[Image: AzureADTemplateSettings]

To Create a Naming Policy

I followed these steps to complete the creation of my naming policy:

  1. Create a new settings object for the Group.Unified template
  2. Configure the object to allow guest access (You could apply additional settings or leave this step out completely.)
  3. Set my settings to the new object

[Image: GroupsSettings]

I applied the groups naming policy as seen in the below screenshot.

[Image: O365GroupNamingPolicySettings2]
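
The steps above as an added PowerShell example (not the author's original commands). It also handles the empty-tenant case that caused the error earlier in this post and pre-checks the 53-character limit mentioned below. It assumes the AzureADPreview module and a signed-in Connect-AzureAD session; the prefix, suffix and blocked-word values are constructed samples.

```powershell
# Added example. Assumes: Import-Module AzureADPreview; Connect-AzureAD already run.
# Constructed sample values (not from the original post):
$Prefix       = 'GRP_[Department]_'
$Suffix       = '_[CountryOrRegion]'
$BlockedWords = 'Payroll,CEO,HR'

# Pre-check against the 53-character limit on prefixes and suffixes.
# Measured on the literal template text, which is an assumption about how the limit is counted.
$Length = ($Prefix + $Suffix).Length
if ($Length -gt 53) {
    throw "Prefix and suffix total $Length characters; the limit is 53."
}

# Look for an existing Group.Unified settings object. On a tenant that has never
# been configured this returns nothing, so passing its .Id to
# Get-AzureADDirectorySetting -Id fails, as it did in the post.
$Setting = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }
$IsNew = $null -eq $Setting

if ($IsNew) {
    # Step 1: create a new settings object from the Group.Unified template.
    $Template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $Setting = $Template.CreateDirectorySetting()
}

# Step 2 (optional): allow guest access.
$Setting['AllowToAddGuests'] = $true

# Naming policy: [GroupName] marks where the user-supplied name goes.
$Setting['PrefixSuffixNamingRequirement'] = $Prefix + '[GroupName]' + $Suffix
$Setting['CustomBlockedWordsList'] = $BlockedWords

# Step 3: write the settings to the tenant (create or update).
if ($IsNew) {
    New-AzureADDirectorySetting -DirectorySetting $Setting | Out-Null
} else {
    Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
}

# Read back what the tenant now holds.
(Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }).Values |
    Where-Object { $_.Name -in 'AllowToAddGuests', 'PrefixSuffixNamingRequirement', 'CustomBlockedWordsList' }
```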

 

In OWA, I could see the new settings in effect. To test the policy, be sure to use an account that is not in one of these administrator roles, because members of these roles are exempt from the naming policy: Global Admin, Partner Tier 1 and 2 Support, User Account Admin, or Directory Writers.

[Image: O365GroupNameOWA]

In summary, creating a naming policy can help users identify and categorize groups in the address book and enforce a consistent naming standard for Office 365 groups in your organization.

The naming policy is applied to groups created in Outlook, Microsoft Teams, SharePoint, Planner, Microsoft Stream, Dynamics 365 for Customer Engagement, Power BI, and many others.

Azure Active Directory (Azure AD) attributes are used in the creation of this policy. The supported attributes are [Department], [Company], [Office], [StateOrProvince], [CountryOrRegion], and [Title].

If you include these attributes in your naming policy, keep in mind that the total length of these prefixes and suffixes is restricted to 53 characters.

Thanks for reading!

Prepare for GDPR – Protect Your Most Sensitive Data with Azure Information Protection


The main objective of General Data Protection Regulation (GDPR) is to protect all European Union (EU) citizens from privacy and data breaches. This regulation impacts every organization located in the EU and it also applies to organizations located outside of the EU if they offer goods or services to EU data subjects. To ensure that there is proper security of such data, you should consider implementing solutions and processes that enable you to identify, classify, and protect data regardless of where it resides.

My most recent work has provided me with an opportunity to work with Microsoft Azure Information Protection (AIP) in Office 365. This technology provides persistent data protection, by classifying, labeling, and protecting documents and emails. In my previous posts, Classifying Data with Azure Information (AIP) – Introduction and Classifying and Protecting Data in Office 365, I provided an overview of AIP including descriptions of labels, how they are created, and how to classify your documents and emails. Additionally, Azure Rights Management (Azure RMS), the protection technology used by AIP, allows for encryption and authorization, ensuring users must successfully authenticate to access the documents and emails.

What are labels?

In AIP, a classification label is used to identify data based on its level of sensitivity and the impact to your business. The most common sensitivity levels are categorized as restricted, confidential, official use, and public.

Unified Labeling and Protection

If you’ve worked with Office 365 and Azure Information Protection in the past, you may have noticed that labels can be created in two different places, the Security and Compliance Center and the Azure portal; this caused quite a bit of confusion about when to use which technology. Microsoft has been working towards providing a more consistent classification, labeling, and protection model that will be used across Office 365 and AIP.

The consistent protection model Private Preview will start soon; no announcement has been made as to when this will be generally available. The consistent labeling model will help ensure that sensitivity labels are recognized across Azure Information Protection, Office 365 Advanced Data Governance, Office 365 DLP and Microsoft Cloud App Security.

The following images show one central location where a label can be created, protection can be configured, and a retention policy can be applied.

Automatic Labeling (Classification)

The ability to automatically classify data is a critical part of helping organizations achieve GDPR goals. Azure Information Protection has 80+ built-in sensitive information types that can be used to detect and classify your data. Microsoft is working on releasing a GDPR template which will include additional information types such as addresses, telephone numbers, and medical information to help detect and classify personal data relevant to GDPR. This new sensitive information template will make it simpler to detect, classify, and protect GDPR related personal data.

Closing

The European Union’s General Data Protection Regulation (GDPR) will be enforced on May 25, 2018. Organizations can be fined up to 4% of annual global turnover or €20 million for breaching GDPR. If your organization collects, hosts, or analyzes personal data of EU residents, you should not delay in implementing solutions to ensure compliance with GDPR.

Azure Information Protection Automatic Classification

I came across another interesting behavior when adding conditions, in the way labels are applied.

My Confidential AIP labels are configured as shown below.

[Image: LabelOrder]

I configured the parent label (Confidential) to automatically classify documents.

[Image: LabelConditions]

I entered the text below to trigger one of the conditions. I noticed that the document was labeled as ‘Confidential \ Restricted’ which is the last child label listed in my AIP portal. Well, this was, obviously, not what I expected.

[Image: ConditionChild]

To further test if it will always default to the last child label, I reordered the child labels. I moved the ‘Restricted’ child label up and now ‘Anyone (not protected)’ is listed as the last child label.

[Image: LabelOrderAfter]

Just as I expected, the new document was labeled as ‘Confidential \ Anyone (not protected)’ automatically.

[Image: ConditionLastChild]

In this experience, I learned that I need to configure the conditions at the specific child label level to get the anticipated results.

Thanks for reading!

 

Azure Information Protection Client Preview 1.21.203.0 – Visual Marking Variables


I had the opportunity to install the latest release of the new Azure Information Protection client PREVIEW 1.21.203.0, which can be downloaded here.

One of the new features included with this client release is the ability to apply different visual markings for Word, Excel, PowerPoint, and Outlook. I’m not sure how business users will take advantage of this, but I had to try it out.

In my Azure Portal, I configured my Confidential \ All Employees label to apply a specific watermark to Word and PowerPoint, and a different watermark to Excel. Keep in mind that watermarks are not supported in Outlook.

[Image: AIPPreviewVisualMarkings]

When a document is classified as Confidential \ All Employees, the watermark is displayed as:

Word: This content is Confidential

[Image: AIPPreviewWord]

PowerPoint: This content is Confidential

[Image: AIPPreviewPowerPoint]

Excel: Confidential

[Image: AIPPreviewExcel]

Thanks for reading!

Azure Information Protection Administrator Role


Great news for organizations that have concerns about granting Global Admin or Security Admin rights to users who need to manage Azure Information Protection policy.

The Azure Active Directory team has added a new role named Information Protection Administrator. Members of this role can manage Azure Information Protection labels and policies using the Azure portal, and use RMS PowerShell.

Note that the role is currently in public preview.

[Image: AIPAdministrator]

Great news!!

Encrypt E-mail with Attachments


As I continue to test different settings in Azure Information Protection, I want to share one that I find interesting.

I configured AIP for e-mail messages with attachments to automatically apply a label that matches the highest classification of those attachments.

I created an e-mail where a default label ‘Official Use’ is automatically applied to my e-mail message. I then attached a document classified as ‘Restricted’, and the classification of my e-mail message automatically changed to ‘Restricted \ All Employees’. This is the expected behavior.

I then sent the e-mail with the attachment to a trusted partner (in this case myself with a different domain) for which I had configured ‘Viewer’ rights to view and reply to the e-mail and the attachment.

Below is the e-mail message I sent to the trusted partner.

[Image: EmailRestrictedAttachment]

However, when the trusted partner (again, myself with a different domain) received the e-mail and tried to click on the ‘Read the message’ link (image below shows e-mail message received by the trusted partner), the trusted partner received “You do not have permission to view this message.”

[Image: EncryptedMessage]

After much testing, in order to allow my trusted partner to read the message, I had to change permissions from ‘Viewer’ to ‘Reviewer’ in Azure Information Protection.

As I continue to work with Azure Information Protection, I find myself learning new things every day.

Thanks for reading!
